I have been passionate about the Web application security field for years, which is why I developed w3af. Some have even called it the "Metasploit" of Web application security. Over the last year or so, I have been thinking about how I can personally help to raise the bar for Web application security even further and turn w3af into one of the leading open source security projects.
I am therefore very excited to announce today that Rapid7 is sponsoring the w3af project and that I will be joining Rapid7 as Director of Web Security to spearhead Rapid7's worldwide Center of Excellence (COE) for Web security. The first immediate result of the sponsorship is that I have already hired the first employee at the COE and will be looking to staff several other engineering positions here in Argentina.
To be clear, Rapid7 is not acquiring w3af. I will keep the project open source, with no plans to change the license or the community development model. What will change is how fast we integrate new features and release new versions with Rapid7's support. I will still be involved in w3af's development process in the classical role of project leader (or Benevolent Dictator For Life, BDFL, as some like to call it), but with more time to design the heuristics and algorithms required to maintain the framework as a world class Web application security solution. By creating a COE and sponsoring w3af, Rapid7 will benefit from the extensive security research experience behind w3af and use it to enhance its existing NeXpose product line.
I am so excited about the sponsorship and me joining Rapid7 for a number of reasons.
First, Rapid7 has proven that they understand the community and how the cross-pollination between open source and commercial solutions can lead to exceptional results. Case in point is the way Rapid7 has handled the Metasploit Project: it has created commercial versions on top of the open source framework while at the same time accelerating the value of the project. Since getting involved with Metasploit in October 2010, Rapid7 has funded a full-time development team for Metasploit and has released five versions of the open source framework.
Second, Rapid7 has amazing products and technology. Rapid7 has been developing a vulnerability management product in the market for 10 years and has now gained a leadership position in penetration testing with the support of Metasploit as well. What stood out particularly for me is the investment Rapid7 has already made in Web application security. NeXpose is the only vulnerability management solution with scanning capabilities that address Web 2.0 and AJAX technologies. With this functionality as a baseline, I truly believe that the cross-pollination of w3af and Rapid7 NeXpose will lead to best in class Web application security technology in the near future.
Lastly, w3af will only get better. It will remain free. As with the Metasploit Framework, w3af will still be open source, which is the reason it has been so successful. w3af's license and copyrights remain the same. What will change is that you will see a lot more support behind the project. As a matter of fact, I am hiring right now, so if you are a developer with Python skills and are good at Web application security, please contact me at firstname.lastname@example.org.